Hardware Transactional Memory (HTM) is a mechanism in computer architecture for supporting parallel programming. With HTM, programmers may simply declare a group of instructions as a transaction and the HTM system guarantees that the instructions in the transaction are executed in an atomic and isolated way. Atomicity means that all the instructions of the transaction are executed as a single atomic block with respect to all other concurrent threads of execution. Isolation means that no intermediate result of the transaction is exposed to the rest of the system until the transaction completes. HTM systems may allow transactions to run in parallel as long as they do not conflict. Two transactions may conflict when they both access the same memory area and either of the two transactions writes to that memory area.
Many existing HTM designs present correctness and/or security issues in the presence of program control transfers, such as transfers to an operating system in response to a system call, exception, interrupt, signal, or other event. Traditionally, such program control transfers may occur transparently to the HTM system. If such a transfer occurs during transactional execution, operating system code may be executed as part of a transaction. This may cause problems with correctness and/or security. In some traditional systems, if the transaction is aborted while executing in the operating system, unexpected side effects may occur.
In one example, consider a TCP/IP network device driver. When receiving a packet from the network, an interrupt is triggered to execute the device driver code. Suppose that the processor receives the interrupt while running an application transaction. The program control would be transferred to the device driver and under a traditional HTM system, the driver would run as part of the transaction since the traditional HTM design simply considers all the instructions between the start and end of the transaction to be part of the transaction.
This behavior may cause at least two problems. First, a system failure may occur if the transaction is aborted while the device driver code executes. For example, if the device driver is configured to write memory-mapped registers to manage the network interface hardware, and is aborted in the middle of changing the register values, the interface hardware may be left in an inconsistent state, breaking the integrity of the network system. Additionally, in the example given above, aborting the transaction during or after the device driver executes as part of the transaction may cause the network connection to lose packets. For example, after the driver code processes a packet, the driver sends an acknowledge message to the packet sender. At this point, the sender may delete the packet since there is no need for retransmission. However, if the transaction is later aborted, the memory write operations that were used to store the packet on the receiver may be rolled back and the packet may be permanently lost, thereby violating the reliable communication guarantee of the TCP/IP system.
Second, security issues are another side effect of transparently jumping to operating system code as part of a transaction. Many modern processors support security features to separate operating system and application code execution. For example, the x86 architecture allows an operating system and applications to use different code segments and privilege levels (e.g., user-level vs. kernel-level privilege) by switching the code segment selector at the boundary of system calls. However, traditional HTM systems often do not checkpoint and manage some parts of processor state, such as the code segment selector. When a transaction that originates in user-level code executes a system call to the operating system, the privilege level is increased. If the transaction aborts, a traditional HTM may not be configured to restore the privilege level to the lower level. Accordingly, a security leak may result. Malicious programs may be able to take advantage of this security hole to acquire an operating system privilege level after a transactional abort.